Tags give the ability to mark specific points in history as being important
-
v0.4.11
1c12cd69 · ·ZealPHP v0.4.11 - WordPress $wp_object_cache lost-global under coroutine-legacy concurrency FIXED (consumed via ext-zealphp 0.3.57): wp_start_object_cache() `static $first_init` leaked across coroutines → switch_to_blog()-on-null. Request-begin function-static refresh + in-place end-reset. WP c8x200=200/200, c16x480=480/480, RSS flat. - With the $wpdb-null Phase R fix (v0.4.10 / ext 0.3.56), unmodified WordPress now serves clean under coroutine-legacy concurrency. - New App::runRequestStaticsBeginRefresh() helper (unit-tested); session managers call it under the perRequestStateResetsActive() gate.
-
v0.4.10
8e8d13d9 · ·ZealPHP v0.4.10 - $wpdb-null functional concurrency race RESOLVED (consumed via ext-zealphp 0.3.56 Phase R): deep-frame global CV convergence; WP prepare()-on-null 160->0. - #438: RedisSessionHandler per-coroutine \Redis FD leak fixed via Coroutine::defer close (no more maxclients exhaustion). - Patched-opcache coroutine-legacy recipe complete (ZEALPHP_PATCH_OPCACHE: enable_cli + dups_fix + validate_timestamps=0) — unmodified WordPress leak-free under coroutine-legacy. - USE_ZEND_ALLOC=0 reframed as a non-fix (canonical doc); production fix is max_request recycle. - Guru issue wave (#432 + siblings, #435) folded in.
-
v0.4.9
fecab712 · ·Release v0.4.9 The cold-concurrent worker-corruption class is closed (ext pin v0.3.52, S5b v2 per-coroutine object-static isolation — ext#44/#48/#49). Rolls the large cluster since 0.4.0: session security + correctness, exit/die HaltException, #379 session persistence, the output-buffer 0-byte-body fix, ZealAPI scope + mode-aware null, the isolation-stage taxonomy, and the just-works roadmap. Also: uniform $app->App-instance injection, per-verb route helpers, README stars-badge fix, Cache stampede-lock test-isolation fix.
-
v0.4.8
f3232503 · ·Release v0.4.8 - RequestContext::__isset()/__unset() — truthful isset() on unset-and-proxied superglobal slots (coroutine-legacy populate, #346 Apache bridge). Closes the ext-zealphp#42 residual: $g->server['X'] ?? fallback no longer silently takes the fallback, and app-side defensive guards (if (!isset($g->server)) $g->server = [];) can no longer wipe the live $_SERVER through __set. Root-caused + verified live on the labs parity rig — full original #42 route table green, LEGACY byte-equivalent to COROUTINE mode. - __unset stays a no-op for proxied names so framework slot-detach can never escalate into superglobal deletion (a re-bridge nuked $_ENV pre-guard). - CHANGELOG hygiene: stray [Unreleased] entries re-homed (locale/umask -> 0.4.6, TableSessionHandler -> 0.4.5), preamble deduped.
-
v0.4.7
f034da4c · ·Release v0.4.7 — coroutine-legacy correctness batch ext-zealphp pin -> v0.3.46. - App::go() + automatic request-context inheritance for child coroutines (ext#42) - Fatal->500 guard: a worker-killing fatal answers in-flight connections with HTTP 500 instead of HTTP 000 (#338) - coroutine-legacy correctness batch via ext 0.3.41-0.3.46: per-request-state claim-set gate (ext#37), $_SERVER post-yield integrity (ext#40/#41), child superglobal lane (ext#42), define() constant-leak fix (0.3.44), per-coroutine tz/mb/libxml isolation (0.3.45), mysqlnd vio orig_path allocator shim that eliminates the WordPress teardown zend_mm_heap corruption (ext#44) - Cold-autoload duplicate-CE crash fixed via master-side request-path preload - Include-boundary $g mutation loss (ext#43), Apache $g superglobal bridge (#346), ZealAPI null->404 parity (#347)
-
v0.4.6
d064c12f · ·Release v0.4.6 - Package renamed: sibidharan/zealphp → zealphp/zealphp (Packagist vendor namespace). GitHub repo unchanged. composer.json 'replace' keeps sibidharan/zealphp resolvable in mixed graphs; the old Packagist package serves all existing tags forever (abandoned with replacement pointer). Install commands now read 'composer create-project zealphp/project' and 'pie install zealphp/ext'.
-
v0.4.5
7b1d6cfc · ·Release v0.4.5 - Session-correctness sweep: regenerate-id sid desync (broke session_regenerate_id(true) login flows in every mode), strict-mode rotation of issued-but-empty sessions, and superglobal OWNERSHIP gating with ext-zealphp 0.3.36/0.3.37 — the go()-child steal (first-request 501s, #332) and the service-coroutine restore wipe (ext#32). Session counters deterministic across bare Mode 4 + coroutine-legacy on PHP 8.3 + 8.4. - Security: WS rooms/routing follow session auth (#234), ScopedMiddleware path-normalization bypass (#232), IpAccessMiddleware trusted proxies (#239). - mod_php parity: REQUEST_URI query string (#306), $_COOKIE treat-data (#305), $_FILES field-major (#304), Basic-auth $_SERVER (#307), Set-Cookie byte-parity + SameSite=None warning (#293/#319), raw status-line passthrough (#327), filter_input in CGI workers (#316). - Pool cold-start TOCTOU connection leak (#322), sendFile delegates to ConditionalRequest + MimeResolver (#321/#317), per-coroutine CWD isolation (#323, ext 0.3.35), quick-wins #308-#311/#318/#320, fcgi hang (#289), session handlers in coroutine mode (#295). - ext-zealphp default pin -> v0.3.37.
-
v0.4.4
4e4071f9 · ·Release v0.4.4 — RedisSessionHandler coroutine-safety (#285) Fixed: - #285 (follow-up to #271): RedisSessionHandler open/read/write/destroy no longer fatal 'API must be called in the coroutine' when the session save-handler chain fires outside a request coroutine under superglobals(true) + HOOK_ALL without enableCoroutine(true). Each Redis op now runs inside Coroutine::run() when outside a coroutine (reusing the persistent fallback so WATCH/MULTI/EXEC spans read->write); per-coroutine path (issue #16) unchanged. Validated on PHP 8.4 + OpenSwoole 26.2.0 + phpredis 6.3. No ext-zealphp change (stays v0.3.33).
-
v0.4.3
6fa77033 · ·Release v0.4.3 — migration-hardening Security: - #240 reserved framework-object params bind before same-named URL segments Fixed: - #260 CGI workers preserve multiple same-name response headers - #261 cgiMode('fcgi') no longer fatals every request (coroutine-wrapped FastCGI) - #270/#274 $g->server CGI/SAPI vars at worker start + per-request UNIQUE_ID - #271 RedisSessionHandler connects lazily (no HOOK_ALL fatal in onWorkerStart) - #26 boot-time $GLOBALS visible to all request coroutines (needs ext-zealphp 0.3.33+) Plus the architecture-review hardening pass (backpressure, sessions, cross-node fabric). Companion: ext-zealphp v0.3.33.
-
v0.4.2
fc2b145a · ·Release v0.4.2 — security + correctness audit fixes + ext-zealphp 0.3.32 - Security: open-redirect block-by-default (#243), clientIp() XFF-spoof fix (#249), CIDR fail-closed (#248), access-log CRLF escaping (#250), CGI pool env / httpoxy (#257), session-fixation strict-mode (#244), Memcached object-injection (#251) - Fixed: Store/Counter backends (#241 #242 #252 #254 #255 #256), HTTP/WS (#246 #247 #253 #258 #259 #260), #227 reset-gate corruption - ext-zealphp 0.3.32: IS_INDIRECT $GLOBALS isolation, superglobal session-leak reset, constant + class-static UAF, include-isolation + require_global (#8-#18), ASAN+Valgrind - Docs: coroutine-isolation security-research guide - Two behaviour changes (redirect, clientIp), both security-motivated
-
v0.4.1
eba0b20f · ·Release v0.4.1 — REST::response() default, CLI dashed subcommands, template IDE docs, llms.txt refresh
-
v0.4.0
597df233 · ·Release v0.4.0 First-class HTMX support: - App::renderHtmx() — htmx-aware fragment / full-page rendering (HX-Target derived) - HtmxResponse::triggerJSON() + chain-back response() - Consolidated HTMX guide (docs/htmx.md + /htmx page), already had full HX-* header coverage Also: - $req / $res handler-parameter aliases (route / api / fallback / template closures) - Env config for the whole CGI subprocess pool (ZEALPHP_CGI_WORKERS + 4 more) - Foreground start banner for a plain 'php app.php' - Redesigned scaffold: Terminal-Luxury theme + live htmx playground
-
v0.3.9
84f0ee36 · ·Release v0.3.9 Scale + hardening release (re-cut from the mis-numbered v0.4.0 — same content, corrected version per the project's patch cadence). Features: DbConnectionPool (PDO + mysqli) · Store::eval() + per-room server-set (cross-node fan-out B1) · Stage 8 App::globalScopeInclude() (experimental). Scale fix: sharded TableSessionHandler write lock. Hardening: session / cache / store-counter / WebSocket / pub-sub-middleware / RedisStreams / in-memory-session audit batches. BC: HaltException extends \Error (#194); Counter::raw() returns Atomic\Long (64-bit).
-
v0.3.8
f9594ccf · ·Release v0.3.8 - App::cgiMode('fork') — Apache MPM-prefork-style CGI runner (fresh child per request, true global scope, no 'Cannot redeclare'). - Per-route CGI backend — the backend: route option + App::cgiBackendAlias(). - Patched-opcache Docker build (ZEALPHP_PATCH_OPCACHE) keeping opcache fully on in coroutine-legacy for require_once apps (php-src#22214 function-dups fix). - WordPress media uploads + wp-admin/Gutenberg in the cgi-pool/cgi-proc modes.
-
v0.3.7
0ffdff93 · ·Release v0.3.7 - src/App.php broken down 9690→~7600 lines: ResponseMiddleware, CLI, CGI\Dispatcher, Middleware\Pipeline\*, LocationHeaderMiddleware, TemplateUnavailableException extracted (run() decomposed into registerOnRequest/WorkerStart/WorkerStop — zero logic change) - route() ergonomics: handler accepted as the last positional arg (no handler: keyword) - Per-route + App::when() path-scoped middleware, in-file $middleware for api files - Dev route hot-reload (--dev / ZEALPHP_DEV=1 / App::devReload) + CLI docs - phpinfo redesign: Apache-parity system/extension/environment sections + sticky TOC - Per-user log-dir fallback (resolve_log_dir) when /tmp/zealphp is root-owned - ext-zealphp pinned to v0.3.25 across setup.sh + Dockerfile - Fixes: #164 (RequestContext array superglobal __get), #157 (root-level api 404), #155 (registerCgiBackend exec_paths validation)
-
v0.3.6
b08f0830 · ·Release v0.3.6 — coroutine-legacy per-request state-reset stack + opcache advisory Completes the PHP-FPM "fresh process per request" contract for the require_once-legacy class. - ext-zealphp 0.3.25: per-request function-static + class-static reset (mirror shutdown_executor); free_zend_constant worker-exit fix. - App::opcacheLegacyBootCheck() advisory for opcache + coroutine-legacy. - Validated PHP 8.4 + ASAN across a 12-app sweep; WordPress serves public + login-auth + comment-write end-to-end. - phpt 38/38, PHPStan L10, phpunit 3225/3225.
-
v0.3.5
83c0009b · ·Release v0.3.5 — coroutine-legacy compatibility runtime - ext-zealphp 0.3.17: per-coroutine isolation of every request-state primitive (7 superglobals, $GLOBALS / global $x, function-local static $x, define(), ini_set, putenv/getenv, silent function/class redeclare, require_once/include_once) via dlsym'd OpenSwoole on_yield/on_resume/on_close scheduler hooks. NTS-only. - App::mode('coroutine-legacy'|'legacy-cgi'|'coroutine'|'mixed') one-knob lifecycle + App::isolation(); six standalone isolation setters. - TableSessionHandler + App::sessionHandler/sessionMaxRows/sessionTtl — concurrent-safe sessions via 3-way (base/disk/memory) merge. - Fix: isolate global-keyword vars per coroutine on PHP 8.4/8.5 (Stage-2 IS_REFERENCE deref); auto-drop HOOK_FILE under silentRedeclare+coroutine; executeFile() chdir; ext security hardening passes 1+2; pool worker survives exit()/die() (FD-3 IPC). - Known limitation (HAZARD-2): coroutine-legacy CODE isolation on PHP 8.4/8.5 has a pre-existing heap-corruption race under heavy concurrent class autoloading (not a state leak; absent on 8.3). STATE isolation is solid on 8.3/8.4/8.5.
-
v0.3.4
1ac6e236 · ·Release v0.3.4 - Disabled zealphp_coroutine_superglobals() — dlsym hooks cause SIGSEGV - Session: _session_started flag, CoSessionManager for ec=true, dedup PHPSESSID - 10/12 lifecycle modes pass 7/7
-
v0.3.3
0b0e238a · ·Release v0.3.3 Bug fixes (14 issues closed): - #133/#135: Pool worker READY handshake — loop-read stderr, skip warnings - #134: Use CoSessionManager when coroutines enabled (SessionManager races) - #136: Duplicate PHPSESSID — _session_started flag + static save handler guard - #137: Reject sg(false)+ec(false) at boot (CoSessionManager needs scheduler) - #143: ZEALPHP_CGI_MODE=pool no longer parsed as proc - #142: python3 CGI backend conditional (skip when not installed) - #141: uopz skip guards for ext-zealphp-only environments - #140: CI builds ext-zealphp from pinned submodule - #138: Isolation scope documented (superglobals only, not $GLOBALS) - #132: Copy button works on all pages (moved to global JS) - #130: exec_paths docblock added to registerCgiBackend() - #139: Mode 6 co-state fixture — closed as expected behavior - Reverted premature auto-enable coroutines for sg(true) - Removed auto-wired zealphp_define_hook/constants_clear ext-zealphp v0.3.1: - define() isolation, $GLOBALS isolation, process-state snapshot/clean - Zombie class fix for static property cleanup
-